🛡️ Cybersecurity Final Exam – Capture The Flag
Welcome to your Penetration Testing final exam.
This CTF has two main parts:
- 🧠 A Jeopardy-style knowledge round
- 🛠 A hands-on VM lab round
You will demonstrate both conceptual understanding and practical skills across the full attack chain.
🧠 Phase 1 – Jeopardy Knowledge Round
In the first phase, you will complete a Jeopardy-style question set:
- ✅ 4 categories
- ✅ 10 questions per category (total of 40 questions)
- ✅ Questions in each category are progressive
Progressive unlocking:
- Within each category, you must solve Question 1 to unlock Question 2, then solve Question 2 to unlock Question 3, and so on.
- You are expected to complete all 4 categories of 10 questions each.
These questions are designed to test:
- Ethical hacking concepts
- Tool usage and methodology
- Real-world penetration testing reasoning
They are intentionally written to be human-thinking questions, not something you can just throw at an AI and get a trivial answer.
You will find these Jeopardy-style challenges on the Challenges page under the appropriate Jeopardy categories.
🛠 Phase 2 – VM Lab Round
In the second phase, you move from theory to practice.
You will attack four vulnerable VMs, each with 10 flags:
- vm1recon – Network and service reconnaissance
- vm2web – Web exploitation and misconfigurations
- vm3priv – Linux privilege escalation
- vm4pivot – Internal pivoting and lateral movement
That’s 4 VMs × 10 flags = 40 lab challenges.
VM availability
- All VM challenges are presented at once in CTFd.
- You can see all VM categories from the start, but it is strongly recommended you tackle them in order:
  - VM1 – Recon
  - VM2 – Web Exploitation
  - VM3 – Privilege Escalation
  - VM4 – Internal Pivot & Lateral Movement
Detailed instructions for each VM (access details, objectives, and rules) are on the VM info page:
👉 https://<your-domain>/vms
🎯 Where to Start
1️⃣ Review VM Info
Before diving deep into the labs, skim the VM descriptions and rules:
👉 https://<your-domain>/vms
This page explains:
- IPs and credentials
- What each VM focuses on
- Any special constraints or expectations
2️⃣ Begin with Jeopardy Challenges
Then start Phase 1 on the challenges page:
👉 https://<your-domain>/challenges
Look for the Jeopardy-style categories and work through them in order:
- 4 categories
- 10 questions each
- Each question unlocks the next in its category
3️⃣ Move into VM Challenges
Once you’ve warmed up on the Jeopardy questions, focus on the VM categories:
- vm1recon
- vm2web
- vm3priv
- vm4pivot
Each VM category contains 10 challenges, one per flag.
🏷️ Flag Format
Inside each VM, flags are shown like:
FLAG-0X: some_text_here
When submitting in CTFd, you will use the CTF-style format, for example:
flag{vm2_config_leak}
⚠️ Rules of Engagement
- ❌ Do not attack any systems outside the provided lab environment.
- ❌ Do not perform heavy brute force beyond light, wordlist-based testing.
- ❌ Do not intentionally destroy or corrupt the VMs.
- ✅ You may use Kali, standard offensive tools, SSH pivoting, tunneling, and local privesc scripts.
- ✅ You should take notes, screenshots, and capture command histories for your final report.
📝 Final Deliverables
You are expected to turn in:
- ✅ All Jeopardy answers (via CTFd)
- ✅ All VM flags (via CTFd)
- ✅ A written report that includes:
  - Your methodology for each VM
  - Key tools and commands used
  - Screenshots or evidence of compromise
🚀 Good Luck
Start by reviewing the VM info:
👉 VMs
Then begin solving:
Think like an attacker. Document like a professional. And remember: enumeration is everything.